Presently, there are many different types of malicious computer programs, also known as malware, which pose a serious threat to computers and computer networks. Malware can infect a computer and spread by various mechanisms, such as e-mail, Internet chat, and instant messaging, thereby quickly infecting other computers. Different types of malware can be distinguished by their behavior, from relatively innocuous ones (such as those which present annoying messages to the user) to harmful and catastrophic ones, including those that completely destroy the data on the hard drive, which results in loss of data and may require the operating system and the installed applications to be completely restored from a backup copy.
One should also note the ambition of the creators of malicious programs to write code which is very hard to treat (treatment of malware here means removal or quarantine, and also the restoration of uninfected copies of objects, such as files). In the past, the creators of malicious programs were little concerned with this aspect, since for many nonprofessional authors it was more important to spread the malicious program as quickly as possible and infect as many computers as possible. With the commercialization of malware writing the goals have changed: professional creators of malicious programs often build code of complicated structure specifically so that the programs they write will not be easy to treat and remove.
Thus, there is today a category of malicious programs specially designed to resist treatment. For example, such malicious programs usually create many copies of themselves on the same computer, which execute at the same time as threads of different processes. In this scenario, the malicious program may have one copy of its code which has infected Internet Explorer® (it executes in a thread of that process) and another copy which has infected the Outlook® mail client (it executes in a thread of the mail client process). When antivirus software identifies one of the copies (e.g., the copy that infected Internet Explorer®), it terminates that copy and deletes the executable file which contains the code of the malicious program.
But this is insufficient against malicious programs resistant to treatment: the other copy (in this case, the one which infected the mail client) detects that the first copy has been removed, immediately copies itself again into the region of working memory where Internet Explorer® resides, re-infecting the browser and again launching the thread of the first copy. When the antivirus software then finds the second copy (the one that infected the mail client), the whole process repeats in reverse, so that at any moment at least one copy survives to restore the other.
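As an added illustration (not code from the original page), the following Python model reproduces the mutual-restoration behaviour just described and contrasts a copy-at-a-time treatment with one that suspends every copy before deleting anything. The process names, the executable path and the assumption that a surviving copy also re-creates the deleted executable from its in-memory image are constructed for the model.

```python
"""Deterministic model of a multi-copy, mutually restoring infection and of two
antivirus treatment orders applied to it (constructed model, not the page's code)."""

from dataclasses import dataclass, field

# Constructed sample path of the malicious executable; an assumption, not from the page.
MALWARE_IMAGE = r"C:\Windows\Temp\svchost32.exe"


@dataclass
class Host:
    """Minimal host state: files on disk, injected copies keyed by host process,
    and the set of copies currently suspended (unable to run and react)."""
    files: set = field(default_factory=set)
    copies: dict = field(default_factory=dict)   # process name -> copy alive?
    suspended: set = field(default_factory=set)

    def infected(self) -> bool:
        return MALWARE_IMAGE in self.files or any(self.copies.values())


def infect(host: Host, processes) -> None:
    """Drop the executable and inject one copy into each listed process."""
    host.files.add(MALWARE_IMAGE)
    for proc in processes:
        host.copies[proc] = True


def malware_tick(host: Host) -> None:
    """One scheduling slice of the malware: every live, non-suspended copy checks
    its siblings and re-injects any that were killed. The model assumes the
    survivor also re-creates the deleted executable from its in-memory image."""
    watchers = [p for p, alive in host.copies.items()
                if alive and p not in host.suspended]
    if not watchers:
        return
    host.files.add(MALWARE_IMAGE)
    for proc in host.copies:
        host.copies[proc] = True


def naive_treatment(host: Host) -> bool:
    """Treat copies one at a time: kill a copy, delete the file, move on.
    Between steps the surviving copy gets to run (the race described above)."""
    for proc in list(host.copies):
        host.copies[proc] = False
        host.files.discard(MALWARE_IMAGE)
        malware_tick(host)          # sibling notices and restores
    return not host.infected()


def ordered_treatment(host: Host) -> bool:
    """Stepwise treatment: suspend every copy first, then delete the file,
    then terminate the frozen copies. No copy ever observes a sibling missing."""
    for proc, alive in host.copies.items():
        if alive:
            host.suspended.add(proc)  # step 1: freeze all watchers
    malware_tick(host)                # nothing can react now
    host.files.discard(MALWARE_IMAGE) # step 2: remove the image
    for proc in host.copies:
        host.copies[proc] = False     # step 3: terminate frozen copies
    host.suspended.clear()
    malware_tick(host)                # no live copy remains to restore anything
    return not host.infected()


def run_demo() -> dict:
    """Apply both treatment orders to identical infections; returns outcome per strategy."""
    results = {}
    for name, strategy in (("naive", naive_treatment), ("ordered", ordered_treatment)):
        host = Host()
        infect(host, ["iexplore.exe", "outlook.exe"])
        results[name] = strategy(host)
    return results


if __name__ == "__main__":
    print(run_demo())   # {'naive': False, 'ordered': True}
```

The model is deliberately deterministic: `malware_tick` stands in for the scheduler giving the surviving copy a chance to run between antivirus steps. The point it makes is the one the text makes: the order of the actions, not the individual actions, decides whether the treatment holds, and a single copy with no sibling to restore it is removed correctly by either order.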
One may also note the development of so-called rootkit technologies, by which malicious programs gain the ability to hide, restrict access to, and restore the files or OS registry branches they need. In this case, if the antivirus is not able to identify the malicious driver which is hiding the malicious files, detection and treatment become almost impossible.
Technologies exist at present for fighting such malicious programs. However, the existing technologies do not provide a stepwise execution of a series of actions that guarantees removal of the malicious code from the system. One of the problems in the treatment of malicious programs is that there is no guarantee that the rootkit driver will not be loaded first during the boot procedure and hide the malicious files or OS registry branches from the antivirus driver that performs the search and treatment. Another problem is, for example, the need to load the appropriate drivers (for the file system, for example) during the boot procedure in order to be able to remove the malicious objects (e.g., files).
Therefore, there is a need for an improved mechanism for treatment of malware.